From eb79fee19724dcfde162892cfb4b9175a470308a Mon Sep 17 00:00:00 2001

From: Simon Kelley <simon@thekelleys.org.uk>

Date: Tue, 5 Dec 2017 22:37:29 +0000

Subject: [PATCH] Fix infinite retries in strict-order mode.

 If all configured dns servers return refused in

 response to a query; dnsmasq will end up in an infinite loop

 retransmitting the dns query resulting into high CPU load.

 Problem is caused by the dns refuse retransmission logic which does

 not check for the end of a dns server list iteration in strict mode.

 Having one configured dns server returning a refused reply easily

 triggers this problem in strict order mode. This was introduced in

 9396752c115b3ab733fa476b30da73237e12e7ba

 Thanks to Hans Dedecker <dedeckeh@gmail.com> for spotting this

 and the initial patch.

(cherry picked from commit ef3d137a646fa8309e1ff5184e3e145eef40cc4d)

---

 src/forward.c | 14 ++++++++++++--

 1 file changed, 12 insertions(+), 2 deletions(-)

diff --git a/src/forward.c b/src/forward.c

index 255d6c0..e61cd50 100644

--- a/src/forward.c

+++ b/src/forward.c

@@ -804,10 +804,20 @@ void reply_query(int fd, int family, time_t now)

       unsigned char *pheader;

       size_t plen;

       int is_sign;

-      

+

+      /* In strict order mode, there must be a server later in the chain

+	 left to send to, otherwise without the forwardall mechanism,

+	 code further on will cycle around the list forwever if they

+	 all return REFUSED. Note that server is always non-NULL before 

+	 this executes. */

+      if (option_bool(OPT_ORDER))

+	for (server = forward->sentto->next; server; server = server->next)

+	  if (!(server->flags & (SERV_LITERAL_ADDRESS | SERV_HAS_DOMAIN | SERV_FOR_NODOTS | SERV_NO_ADDR | SERV_LOOP)))

+	    break;

+

       /* recreate query from reply */

       pheader = find_pseudoheader(header, (size_t)n, &plen, NULL, &is_sign, NULL);

-      if (!is_sign)

+      if (!is_sign && server)

 	{

 	  header->ancount = htons(0);

 	  header->nscount = htons(0);

-- 

2.26.2